Marco Nappo_
Kilo Guru

The Vulnerability Response process is typically described as half automated and half manual, as you can see in this schema:

[Image: Vulnerability Response process schema (automated vs. manual parts)]

Let's focus on the automated part of the process; if you are interested in the manual process, please click here.

  1. Everything starts with a good CMDB: your CMDB is populated with all the CIs (Configuration Items) that describe the IT infrastructure of your organization.
  2. Periodically the entire CMDB is scanned with a third-party scanner (Qualys, Tenable, Rapid7, etc.) to retrieve all the vulnerabilities.
  3. The result of the scan is a list of Vulnerable Items. A Vulnerable Item is a match between a CI and a vulnerability (as described by NIST in the NVD database).
  4. The urgency of your Vulnerable Item response typically depends on the CI Business Impact (or that of any Business Service that depends on that CI) and the CVSS score of the vulnerability. The combination of these two factors is defined as an algorithm in the Risk Score Calculator, which calculates the Risk Score for each Vulnerable Item.
  5. Vulnerable Items can be grouped into Vulnerability Groups, typically per vulnerability type or CI type.
  6. The urgency (Risk Score) of a Vulnerability Group strongly depends on the Risk Scores of the Vulnerable Items it contains. The Vulnerability Group Risk Score is calculated by the Rollup Calculator; in particular, these factors can affect the resulting risk score: maximum risk score, average risk score, and count of vulnerable items.
  7. The Vulnerability Group is a task:
    1. It can be automatically assigned to a User Group (by defining proper Assignment Rules).
    2. It can have SLAs attached to guarantee a good level of the Vulnerability Response service.
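To make steps 3 to 7 concrete, here is a small added example (not ServiceNow's own code, and not the author's) that walks constructed CMDB and scanner data through the flow: match findings to CIs to get Vulnerable Items, score each item from CVSS and CI business impact, roll the items up into Vulnerability Groups using maximum, average and count, and route each group with an assignment rule. The scoring formula, the business-impact weights, the rollup weights, the CVE identifiers (`CVE-EXAMPLE-*` placeholders) and the assignment rule are all assumptions for illustration; in the product these are configured in the Risk Score Calculator, Rollup Calculator and Assignment Rules rather than hard-coded. A finding for a host that is not in the CMDB is dropped, which is exactly the "good CMDB first" point of step 1: an asset the CMDB does not know about never becomes a Vulnerable Item and is never tracked.

```javascript
// Added example, not ServiceNow code. Formulas and weights below are assumptions.

// Step 1: CMDB with CIs (constructed sample data).
const cmdb = [
  { name: 'web-01',   ciClass: 'Linux Server', businessImpact: 'High' },
  { name: 'db-01',    ciClass: 'Database',     businessImpact: 'Critical' },
  { name: 'kiosk-07', ciClass: 'Workstation',  businessImpact: 'Low' },
];

// Step 2: scanner output (constructed). Each finding ties a host to a
// vulnerability id with the CVSS base score from its NVD entry.
// 'ghost-99' is deliberately absent from the CMDB to show what happens then.
const scanResults = [
  { ci: 'web-01',   vuln: 'CVE-EXAMPLE-0001', cvss: 9.8 },
  { ci: 'db-01',    vuln: 'CVE-EXAMPLE-0001', cvss: 9.8 },
  { ci: 'kiosk-07', vuln: 'CVE-EXAMPLE-0001', cvss: 9.8 },
  { ci: 'web-01',   vuln: 'CVE-EXAMPLE-0002', cvss: 4.3 },
  { ci: 'db-01',    vuln: 'CVE-EXAMPLE-0003', cvss: 7.5 },
  { ci: 'ghost-99', vuln: 'CVE-EXAMPLE-0003', cvss: 7.5 },
];

// Business impact weight: assumed mapping, not a product default.
const IMPACT_WEIGHT = { Critical: 1.0, High: 0.8, Medium: 0.6, Low: 0.4 };

// Step 4: Risk Score Calculator. Assumed formula: CVSS scaled to 0-100,
// weighted by the CI business impact, rounded to an integer.
function riskScore(cvss, businessImpact) {
  const weight = IMPACT_WEIGHT[businessImpact] ?? IMPACT_WEIGHT.Low;
  return Math.round(cvss * 10 * weight);
}

// Step 3: build Vulnerable Items by matching each finding to a CMDB CI.
// Findings whose host is not a CI are skipped (nothing to attach them to).
function buildVulnerableItems(cis, findings) {
  const byName = new Map(cis.map(ci => [ci.name, ci]));
  return findings
    .filter(f => byName.has(f.ci))
    .map(f => {
      const ci = byName.get(f.ci);
      return {
        ci: ci.name, ciClass: ci.ciClass, vuln: f.vuln, cvss: f.cvss,
        riskScore: riskScore(f.cvss, ci.businessImpact),
      };
    });
}

// Steps 5 and 6: group items per vulnerability and roll up the group score
// from the three factors the text names: maximum, average and count.
function buildVulnerabilityGroups(items) {
  const groups = new Map();
  for (const vi of items) {
    if (!groups.has(vi.vuln)) groups.set(vi.vuln, []);
    groups.get(vi.vuln).push(vi);
  }
  return [...groups].map(([vuln, vis]) => {
    const scores = vis.map(v => v.riskScore);
    const max = Math.max(...scores);
    const avg = scores.reduce((a, b) => a + b, 0) / scores.length;
    const count = vis.length;
    // Assumed rollup: the worst item dominates, the average and the number
    // of affected CIs nudge the score upward, capped at 100.
    const rollup = Math.min(100, Math.round(0.7 * max + 0.3 * avg + Math.log2(count)));
    return { vuln, count, max, avg: Math.round(avg), riskScore: rollup, items: vis };
  }).sort((a, b) => b.riskScore - a.riskScore); // most urgent group first
}

// Step 7a: Assignment Rule (assumed): route the group by the CI classes it touches.
function assignGroup(group) {
  const classes = new Set(group.items.map(v => v.ciClass));
  if (classes.has('Database')) return 'DBA Team';
  if (classes.has('Linux Server')) return 'Linux Ops';
  return 'Desktop Support';
}

// Run the whole automated chain on the sample data.
function runPipeline() {
  const items = buildVulnerableItems(cmdb, scanResults);
  const groups = buildVulnerabilityGroups(items);
  return groups.map(g => ({ vuln: g.vuln, count: g.count, riskScore: g.riskScore,
                            assignedTo: assignGroup(g) }));
}

console.table(runPipeline());
```

Running it lists three groups ordered by urgency: the group for the 9.8 CVSS vulnerability on three CIs lands on top even though one of its members is a low-impact kiosk, because the maximum (the critical database server) dominates the rollup. Note that the sixth finding never appears anywhere: with no CI to match, it produced no Vulnerable Item, which is why CMDB coverage is the first thing to get right.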


Comments
Alex Cox
ServiceNow Employee

This is really well done, thanks for posting it!

bianca_vaccarin
ServiceNow Employee

Thank you for explaining Vulnerability Response and WITH PHOTOS! For those interested in getting started with Vulnerability Response this is a good look at the process and what it entails.

Version history
Last update:
02-10-2019 10:00 AM
Updated by: